Re: IWS, Rest API, and HTTPS

Hi,

IWS documentation is lagging. We hope to update the documentation this year. So the technology updates link should be your source for information on new enhancements in IWS. The web site is:

https://www.ibm.com/support/pages/integrated-web-services-ibm-i-web-services-made-easy

Some things to consider are listed below.

System:

* Always stay on latest HTTP and Java group PTFs.

Networking:

* Have a firewall, and open only ports that are required
* Run TLS

API:

* Do you need authentication mechanism? Built-into the IWS server you can implement basic authentication based on user profiles, validation lists, or IFS file[1]. You can designate what role a user should have to access the API. In addition, you can create your own authentication mechanism using Trust Association Interceptor[2].
* Once the user has been authenticated, you can run the API under the authenticated user ID or under a single user ID.

Logging:

* Enable HTTP access logging[3] and/or
* Enable HTTP message logging[4]

[1] https://www.ibm.com/support/pages/node/6396442
[2] https://www.ibm.com/support/pages/node/6396908
[3] https://www.ibm.com/support/pages/node/6566801
[4] https://www.ibm.com/support/pages/node/6566799


---------------------------------------------------
Nadir Amra
e-mail: amra@xxxxxxxxxx

From: WEB400 <web400-bounces@xxxxxxxxxxxxxxxxxx> on behalf of Stephen Piland <Stephen@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tuesday, May 31, 2022 at 3:24 PM
To: web400@xxxxxxxxxxxxxxxxxx <web400@xxxxxxxxxxxxxxxxxx>
Subject: [EXTERNAL] [WEB400] IWS, Rest API, and HTTPS
I apologize in advance if this topic has been covered in ad nauseum... We have a simple Rest API that is currently running in IWS within the firewall of the company. We'd like to open it up to outside of the confines and want to run in a more secure way.

What are the high level steps to make this happen? We are currently on the latest TL of 7.3 of the OS. Is there a white paper on this?